Definition

...

Master boot record (MBR) is a boot sector typically found in the first sector of a partitioned storage device. It is one of two disk structures used by Windows operating systems (the other structure is known as a GUID partition table or GPT).

...

The following table describes the components of the MBR (offsets are shown from the start of the MBR):

| Byte offset | Number of bytes | Description | Value |
|---|---|---|---|
| 0 | 440 | Boot code used to launch the operating system | |
| 440 | 4 | Drive signature (hexadecimal string) | |
| 444 | 2 | | 00 00 |
| 446 | 64 | Master partition table (four 16-byte entries to describe partitions) | |
| 510 | | Marker to notate the end of the MBR | 55 AA |

The partition table consists of four 16-byte entries that define the size, type, and location of logical volumes on the device. The following table describes the fields in each 16-byte entry in the partition table (offsets are shown from the start of the partition entry, not the start of the MBR):

| Byte offset | Number of bytes | Description | Value |
|---|---|---|---|
| 0 | 1 | Boot indicator - Indicates whether the volume is the active partition (i.e., bootable). 00 for "do not use for booting" and 80 for "active partition." | 00 or 80 |
| | | Starting CHS address (3 bytes) | |
| 1 | 1 | Starting head | |
| 2 | 6 bits | Starting sector - uses bits 0-5. Bits six and seven are used by the starting cylinder field. | |
| 2 | 10 bits | Starting cylinder - uses 1 byte in addition to the upper two bits from the starting sector field to make up the cylinder value. The starting cylinder is a 10-bit number, with a maximum value of 1023. | |
| 4 | | Partition type (file system ID) | |
| | | Ending CHS address (3 bytes) | |
| 5 | 1 | Ending head | |
| 6 | 6 bits | Ending sector - uses bits 0-5. Bits six and seven are used by the ending cylinder field. | |
| 6 | 10 bits | Ending cylinder - uses 1 byte in addition to the upper two bits from the ending sector field to make up the cylinder value. The ending cylinder is a 10-bit number, with a maximum value of 1023. | |
| 8 | 4 | Relative sectors (LBA offset to the partition) - The offset from the beginning of the disk to the beginning of the logical volume | |
| 12 | 4 | Total sectors (length of the partition) - Total number of sectors in the logical volume | |
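
The two layouts above can be checked against a raw first sector with a short parser. The following Python is an added example, not part of the original page or of any forensic tool; the function names are hypothetical, the sample sector is constructed rather than taken from a real disk, and it assumes the 4-byte sector fields are stored little-endian.

```python
import struct

def decode_chs(raw):
    """Decode a 3-byte CHS field: head byte, sector byte, cylinder low byte."""
    head, sector_byte, cyl_low = raw
    return {
        "head": head,
        "sector": sector_byte & 0x3F,                        # bits 0-5
        "cylinder": ((sector_byte & 0xC0) << 2) | cyl_low,   # bits 6-7 are cylinder bits 8-9
    }

def parse_mbr(sector):
    """Parse a 512-byte MBR into its drive signature and four partition entries."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("end-of-MBR marker 55 AA is missing")
    entries = []
    for i in range(4):
        e = sector[446 + 16 * i : 462 + 16 * i]              # one 16-byte entry
        lba_start, total = struct.unpack_from("<II", e, 8)   # assumed little-endian
        entries.append({
            "boot_indicator": e[0],
            "active": e[0] == 0x80,
            "boot_indicator_valid": e[0] in (0x00, 0x80),    # anything else is anomalous
            "start_chs": decode_chs(e[1:4]),
            "type": e[4],
            "end_chs": decode_chs(e[5:8]),
            "lba_start": lba_start,
            "total_sectors": total,
        })
    # Drive signature is reported as hex in on-disk byte order.
    return {"drive_signature": sector[440:444].hex(), "entries": entries}

def build_sample():
    """Constructed sample sector (not from a real disk image); type 07 is illustrative."""
    s = bytearray(512)
    s[440:444] = bytes.fromhex("a1b2c3d4")
    s[446:462] = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) \
        + struct.pack("<II", 2048, 204800)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    mbr = parse_mbr(build_sample())
    print("drive signature:", mbr["drive_signature"])
    for n, p in enumerate(mbr["entries"]):
        print(n, p)
```
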

Examine the MBR

...

Forensic tools like FTK Imager allow archivists to examine the MBR. The MBR is displayed in the Viewer Pane when the highest level of the evidence item is selected in the Evidence Tree.

...